rspamd: Use redis over a unix socket by default

Both rspamd and redis run on the same host by default, so a UNIX domain
socket is the cheapest way to facilitate that communication.

It also allows us to get rid of overly complicated IP adddress parsing
logic, that we can shift onto the user if they need it.

default.nix

@@ -944,28 +944,19 @@ in
       address = mkOption {
         type = types.str;
         # read the default from nixos' redis module
-        default = let
+        default = config.services.redis.servers.rspamd.unixSocket;
-          cf = config.services.redis.servers.rspamd.bind;
+        defaultText = lib.literalExpression "config.services.redis.servers.rspamd.unixSocket";
-          cfdefault = if cf == null then "127.0.0.1" else cf;
-          ips = lib.strings.splitString " " cfdefault;
-          ip = lib.lists.head (ips ++ [ "127.0.0.1" ]);
-          isIpv6 = ip: lib.lists.elem ":" (lib.stringToCharacters ip);
-        in
-        if (ip == "0.0.0.0" || ip == "::")
-        then "127.0.0.1"
-        else if isIpv6 ip then "[${ip}]" else ip;
-        defaultText = lib.literalMD "computed from `config.services.redis.servers.rspamd.bind`";
         description = ''
-          Address that rspamd should use to contact redis.
+          Path, IP address or hostname that Rspamd should use to contact Redis.
         '';
       };
 
       port = mkOption {
-        type = types.port;
+        type = with types; nullOr port;
-        default = config.services.redis.servers.rspamd.port;
+        default = null;
-        defaultText = lib.literalExpression "config.services.redis.servers.rspamd.port";
+        example = lib.literalExpression "config.services.redis.servers.rspamd.port";
         description = ''
-          Port that rspamd should use to contact redis.
+          Port that Rspamd should use to contact Redis.
         '';
       };
 

docs/release-notes.rst

@@ -1,6 +1,14 @@
 Release Notes
 =============
 
+NixOS 25.05
+-----------
+
+- Rspamd now connects to Redis over its Unix Domain Socket by default
+  (`merge request <https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/375` __)
+  - If you need to revert TCP connections, configure ``mailserver.redis.address`
+    to reference the value of ``config.services.redis.servers.rspamd.bind``.
+
 NixOS 24.11
 -----------
 

mail-server/rspamd.nix

@@ -42,7 +42,11 @@ in
               extended_spam_headers = true;
           ''; };
           "redis.conf" = { text = ''
-              servers = "${cfg.redis.address}:${toString cfg.redis.port}";
+              servers = "${if cfg.redis.port == null
+                then
+                  cfg.redis.address
+                else
+                  "${cfg.redis.address}:${toString cfg.redis.port}"}";
           '' + (lib.optionalString (cfg.redis.password != null) ''
               password = "${cfg.redis.password}";
           ''); };
@@ -113,14 +117,12 @@ in
 
     };
 
-    services.redis.servers.rspamd = {
+    services.redis.servers.rspamd.enable = lib.mkDefault true;
-      enable = lib.mkDefault true;
-      port = lib.mkDefault 6380;
-    };
 
     systemd.services.rspamd = {
       requires = [ "redis-rspamd.service" ] ++ (lib.optional cfg.virusScanning "clamav-daemon.service");
       after = [ "redis-rspamd.service" ] ++ (lib.optional cfg.virusScanning "clamav-daemon.service");
+      serviceConfig.SupplementaryGroups = [ config.services.redis.servers.rspamd.group ];
     };
 
     systemd.services.rspamd-dmarc-reporter = lib.optionalAttrs (cfg.dmarcReporting.enable) {